Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Roll-your-own API Management Platform with NGIN...

Sean Cribbs
September 24, 2015
Technology
10
1.1k

Roll-your-own API Management Platform with NGINX and Lua

We recently replaced a proprietary API management solution with an in-house implementation built with NGINX and Lua that let us get to a continuous delivery practice in a handful of months. Learn about our development process and the overall architecture that allowed us to write minimal amounts of code, enjoying native code performance while permitting interactive coding, and how we leveraged other open source tools like Vagrant, Ansible, and OpenStack to build an automation-rich delivery pipeline. We will also take an in-depth look at our capacity management approach that differs from the rate limiting concept prevalent in the API community.

Sean Cribbs

September 24, 2015
Tweet

More Decks by Sean Cribbs

See All by Sean Cribbs
Adopting Stream Processing for Instrumentation
seancribbs
1
360
Supervisors, Links and Monitors
seancribbs
0
92
Getting the Word Out: Membership, Dissemination, and Population Protocols
seancribbs
0
340
Reliable High-Performance HTTP Infrastructure with nginx and Lua
seancribbs
0
570
The Refreshingly Rewarding Realm of Research Papers
seancribbs
0
360
Techniques for Metaprogramming in Erlang
seancribbs
2
1.4k
The Final Causal Frontier
seancribbs
6
910
Erlang - Building Blocks for Global Distributed Systems
seancribbs
4
790
A Brief History of Time in Riak
seancribbs
4
1.7k

Other Decks in Technology

See All in Technology
Exadata Database Service on Dedicated Infrastructure(ExaDB-D) UI スクリーン・キャプチャ集
oracle4engineer
PRO
2
3.2k
OCI Security サービス 概要
oracle4engineer
PRO
0
6.5k
OCI 運用監視サービス 概要
oracle4engineer
PRO
0
4.8k
DynamoDB でスロットリングが発生したとき/when_throttling_occurs_in_dynamodb_short
emiki
0
260
Making your applications cross-environment - OSCG 2024 NA
salaboy
0
190
プロダクト活用度で見えた真実 ホリゾンタルSaaSでの顧客解像度の高め方
tadaken3
0
180
AIチャットボット開発への生成AI活用
ryomrt
0
170
TypeScriptの次なる大進化なるか!? 条件型を返り値とする関数の型推論
uhyo
2
1.7k
テストコード品質を高めるためにMutation Testingライブラリ・Strykerを実戦導入してみた話
ysknsid25
7
2.7k
AI前提のサービス運用ってなんだろう?
ryuichi1208
8
1.4k
OTelCol_TailSampling_and_SpanMetrics
gumamon
1
200
個人でもIAM Identity Centerを使おう!(アクセス管理編)
ryder472
4
230

Featured

See All Featured
Keith and Marios Guide to Fast Websites
keithpitt
409
22k
Designing on Purpose - Digital PM Summit 2013
jponch
115
7k
Building Flexible Design Systems
yeseniaperezcruz
327
38k
Put a Button on it: Removing Barriers to Going Fast.
kastner
59
3.5k
Happy Clients
brianwarren
98
6.7k
Music & Morning Musume
bryan
46
6.2k
A Modern Web Designer's Workflow
chriscoyier
693
190k
Making the Leap to Tech Lead
cromwellryan
133
8.9k
The Pragmatic Product Professional
lauravandoore
31
6.3k
YesSQL, Process and Tooling at Scale
rocio
169
14k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
329
21k
A designer walks into a library…
pauljervisheath
204
24k

Transcript

  1. Roll-your-own API Management Platform 
 with NGINX and Lua Sean

    Cribbs, Comcast Cable @seancribbs

  2. About me

  3. Background

  4. None

  5. Consumer

  6. Internal Consumer

  7. Partner Internal Consumer

  8. API Management

  9. API Management access control capacity management

  10. CodeBig 1 API Consumer

  11. CodeBig 1 API Consumer CDN • traffic shaping • caching

  12. CodeBig 1 API Consumer CDN • traffic shaping • caching

    • access control • rate limiting Vendor APIM

  13. CodeBig 1 API Consumer CDN • traffic shaping • caching

    • access control • rate limiting Vendor APIM Internet Comcast LB • DNS RR • VIP

  14. CodeBig 1 API Consumer CDN • traffic shaping • caching

    • access control • rate limiting Vendor APIM • DMZ intermediary • path-host mapping iAuth Internet Comcast LB • DNS RR • VIP

  15. CodeBig 1 API Consumer CDN • traffic shaping • caching

    • access control • rate limiting Vendor APIM • DMZ intermediary • path-host mapping iAuth Internet Comcast Origin APIs LB • DNS RR • VIP

  16. Challenges

  17. Challenges visibility

  18. Challenges visibility responsibility

  19. Challenges visibility responsibility scope

  20. Challenges visibility responsibility scope latency

  21. Challenges visibility responsibility scope latency security

  22. CodeBig 2

  23. CodeBig 2 simplify architecture

  24. CodeBig 2 simplify architecture increase visibility

  25. CodeBig 2 simplify architecture increase visibility use open-source tools

  26. Architecture

  27. custom  logic HTTP Proxy

  28. Lua

  29. -­‐-­‐  Validates  the  OAuth  signature   -­‐-­‐  @return  Const.HTTP_UNAUTHORIZED  if

     either  the  key  or  signature  is  invalid   -­‐-­‐  this  method  is  internal  and  should  not  be  called  directly   function  _M.validate_signature(self)          local  headers  =  self.req.get_oauth_params()          local  key  =  headers[Const.OAUTH_CONSUMER_KEY]          local  keyconf  =  self.conf.keys[key]          if  keyconf  ==  nil  then                  return  {                          code  =  Const.HTTP_UNAUTHORIZED,                          error  =  Const.ERROR_INVALID_CONSUMER_KEY                  }          end          local  sig  =  get_hmac_signature(self.req,  keyconf.secret)          if  sig  ~=  headers[Const.OAUTH_SIGNATURE]  then                  return  {                          code  =  Const.HTTP_UNAUTHORIZED,                          error  =  Const.ERROR_INVALID_SIGNATURE                  }          end   end

  30. Lua < 3K LoC!!

  31. Intra-Datacenter VIP

  32. Intra-Datacenter VIP haproxy haproxy …

  33. Intra-Datacenter VIP … haproxy haproxy …

  34. Intra-Datacenter VIP Origin APIs … haproxy haproxy …

  35. DC3 VIP DC2 VIP DC1 VIP Cross-Datacenter

  36. DC3 VIP DC2 VIP DC1 VIP Cross-Datacenter dc1-­‐vip.    

             A              10.1.0.1 dc2-­‐vip.              A              10.2.0.1 dc3-­‐vip.              A              10.3.0.1

  37. DC3 VIP DC2 VIP DC1 VIP Cross-Datacenter vod vod acct

    acct dc1-­‐vip.              A              10.1.0.1 dc2-­‐vip.              A              10.2.0.1 dc3-­‐vip.              A              10.3.0.1

  38. DC3 VIP DC2 VIP DC1 VIP Cross-Datacenter vod vod acct

    acct dc1-­‐vip.              A              10.1.0.1 dc2-­‐vip.              A              10.2.0.1 dc3-­‐vip.              A              10.3.0.1 vod-­‐dc1.              CNAME      dc1-­‐vip. vod-­‐dc2.              CNAME      dc2-­‐vip.

  39. DC3 VIP DC2 VIP DC1 VIP Cross-Datacenter vod vod acct

    acct dc1-­‐vip.              A              10.1.0.1 dc2-­‐vip.              A              10.2.0.1 dc3-­‐vip.              A              10.3.0.1 vod-­‐dc1.              CNAME      dc1-­‐vip. vod-­‐dc2.              CNAME      dc2-­‐vip. vod-­‐dc1-­‐fo.        CNAME      dc1-­‐vip. vod-­‐dc1-­‐fo.        CNAME      dc2-­‐vip.

  40. DC3 VIP DC2 VIP DC1 VIP Cross-Datacenter vod vod acct

    acct dc1-­‐vip.              A              10.1.0.1 dc2-­‐vip.              A              10.2.0.1 dc3-­‐vip.              A              10.3.0.1 vod-­‐dc1.              CNAME      dc1-­‐vip. vod-­‐dc2.              CNAME      dc2-­‐vip. vod-­‐dc1-­‐fo.        CNAME      dc1-­‐vip. vod-­‐dc1-­‐fo.        CNAME      dc2-­‐vip. vod.                      CNAME      vod-­‐dc1. vod.                      CNAME      vod-­‐dc2.

  41. Capacity Management

  42. N = XR

  43. N = XR # concurrent requests

  44. N = XR # concurrent requests transaction rate

  45. N = XR # concurrent requests transaction rate response time

  46. N = XR # concurrent requests transaction rate response time

    Little’s Law

  47. client origin APIM 2 req/s 1s N = XR =

    2 req/s x 1s = 2 req

  48. client origin APIM 2 req/s 10s N = XR =

    2 req/s x 10s = 20 req

  49. client origin APIM 2 req/s 10s N = XR =

    2 req/s x 10s = 20 req

  50. Concurrent Request Limiting lua_shared_dict            

     counts    50M;   access_by_lua          …      +1   log_by_lua                …      -­‐1

  51. Testing

  52. function  TestOAuth1:test_reject_request_when_timestamp_expired()          -­‐-­‐  default  timestamp  is

     01/01/2014  UTC  so  it's  definitely  stale          local  conf  =  Conf:new({validate_timestamp  =  true,  ttl  =  300})          local  header  =  Header:new()          local  req  =  Req:new({oauth_params  =  header})          local  oauth  =  OAuth1:new(conf,  req)          local  res  =  oauth:authorize()          assertEquals(res.code,  Const.HTTP_UNAUTHORIZED)          assertEquals(res.error,  Const.ERROR_EXPIRED_TIMESTAMP)   end   lu  =  LuaUnit.new()   lu:setOutputType("tap")   os.exit(lu:runSuite())

  53. ngx.log(ngx.ERR,  “oops”)

  54. function  get_oauth_params_from_auth_header(env)      env  =  env  or  ngx  

       local  auth_hdrs  =  env.req.get_headers()["Authorization"]      ...

  55. function  TestRequest:test_retrieve_oauth_params_from_header()      local  header  =  [[Oauth  realm="example.com",  ]]

             ..  [[oauth_consumer_key="mykey",]]          ..  [[oauth_version="1.0"]]      local  ngx  =  StubNgx:new({  Authorization  =  header  })      local  res  =  get_oauth_params_from_auth_header(ngx)      assertEquals("1.0",  res.oauth_version)      ...
  56. None
  57. None

  58. test harness

  59. test harness

  60. test harness

  61. test harness

  62. test harness nginx-­‐oauth1.conf

  63. test harness nginx-­‐oauth1.conf

  64. test harness nginx-­‐oauth1.conf

  65. def  spec_using_valid_oauth_credentials(self,  harness):          auth  =  OAuth1("mykey",

     "mysecret")          body_data  =  "{'function':  'tick'}"          harness.reset_data()          response  =  requests.post(root_url,  data=body_data,  auth=auth,                                                            headers={'Content-­‐Type':                                                                              'application/json'})          assert  response.status_code  ==  200          assert  "Authorization"  in  harness.forwarded_headers          assert  "Oauth"  in  harness.forwarded_headers["Authorization"]          assert  harness.forwarded_body  ==  body_data  

  66. Deployment

  67. None

  68. Configs in VCS Playbooks in VCS

  69. Configs in VCS config templates API configs vault
 (keys) Playbooks

    in VCS

  70. Configs in VCS config templates API configs vault
 (keys) Playbooks

    in VCS

  71. Configs in VCS config templates API configs vault
 (keys) Playbooks

    in VCS vip.conf vhost.lua vhost.conf vhost.conf vhost.lua nginx.conf

  72. Configs in VCS config templates API configs vault
 (keys) Playbooks

    in VCS vip.conf vhost.lua vhost.conf vhost.conf vhost.lua nginx.conf

  73. Configs in VCS config templates API configs vault
 (keys) ssh

    Playbooks in VCS vip.conf vhost.lua vhost.conf vhost.conf vhost.lua nginx.conf

  74. Configs in VCS config templates API configs vault
 (keys) ssh

    Playbooks in VCS vip.conf vhost.lua vhost.conf vhost.conf vhost.lua nginx.conf

  75. Results

  76. Performance

  77. switch Performance

  78. switch mean 99th Performance

  79. switch ~10x mean 99th Performance

  80. Stability

  81. switch Stability

  82. Impact index=codebig  host=*.cimops.net  source="/var/log/nginx/access.log"  |   eval  d  =  request_time

     -­‐  upstream_response_time  |  
 timechart  span=1m  perc99(d)  max(d)

  83. Impact seconds index=codebig  host=*.cimops.net  source="/var/log/nginx/access.log"  |   eval  d  =

     request_time  -­‐  upstream_response_time  |  
 timechart  span=1m  perc99(d)  max(d)

  84. Impact seconds index=codebig  host=*.cimops.net  source="/var/log/nginx/access.log"  |   eval  d  =

     request_time  -­‐  upstream_response_time  |  
 timechart  span=1m  perc99(d)  max(d) 99th

  85. Impact seconds index=codebig  host=*.cimops.net  source="/var/log/nginx/access.log"  |   eval  d  =

     request_time  -­‐  upstream_response_time  |  
 timechart  span=1m  perc99(d)  max(d) 99th max

  86. Successes

  87. Successes great performance improvements

  88. Successes great performance improvements 68 endpoints in August

  89. Successes great performance improvements 68 endpoints in August ~150 endpoints

    in September

  90. Challenges

  91. Challenges 3rd-party Lua ecosystem

  92. Challenges 3rd-party Lua ecosystem deployment playbook churn

  93. Challenges 3rd-party Lua ecosystem deployment playbook churn configuration file size

  94. Challenges 3rd-party Lua ecosystem deployment playbook churn configuration file size

    kernel tuning

  95. Challenges 3rd-party Lua ecosystem deployment playbook churn configuration file size

    kernel tuning owning availability

  96. Conclusion

  97. Conclusion NGINX + Lua for HTTP middleware

  98. Conclusion NGINX + Lua for HTTP middleware Automated test and

    deployment pipeline

  99. Conclusion NGINX + Lua for HTTP middleware Automated test and

    deployment pipeline Concurrent request limiting

  100. Conclusion NGINX + Lua for HTTP middleware Automated test and

    deployment pipeline Concurrent request limiting Operational flexibility

  101. Thanks